Someone asked: What is the difference between HTTP and HTTPS?
HTTP, in full "Hyper Text Transfer Protocol", is the default protocol used when visiting a Web site from a browser. Because data travels between the browser and the website in plaintext, it is vulnerable to man-in-the-middle attacks and eavesdropping, and is not suitable for transmitting sensitive information such as bank account numbers and passwords. An example is Sina, http://www.sina.com.cn.
HTTPS, short for Hyper Text Transfer Protocol Secure, adds the encryption and authentication functions of SSL/TLS to the HTTP protocol: information is encrypted by the SSL/TLS protocol before it is transmitted, and received information is first decrypted by the browser and then displayed, so as to ensure the security of online transactions. HTTPS is widely used for online trading, payment and downloading sensitive information (such as e-mail). An example is ICBC online banking.
How to enable HTTPS
To prepare a Web server to accept HTTPS connections, an administrator must create an SSL certificate for the Web server. This certificate must be signed by a certificate authority that browsers trust, such as VeriSign, GlobalSign, GeoTrust, Thawte, Comodo, and so on. Browsers ship with the signing certificates of the major certificate authorities built in, which enables them to verify the certificates those authorities have signed.
Get a certificate
One way is to purchase a trusted international SSL certificate from an SSL agent. Users then do not need to install plug-ins and can access the site directly.
There are also untrusted CA institutions or individuals that issue self-signed certificates, but users then need to manually add the signing certificate, which is not built into the browser, to the list of trusted root certificates.
TLS and SSL protocols
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are essentially the same thing: a security protocol that combines encryption and authentication, and that is supported by default by all applications, such as browsers, IIS, Apache, Exchange servers, and so on.
TLS was developed on the basis of SSL (first introduced by the early browser vendor Netscape) into RFC 5246, a standard of the IETF, the international standards organization.
The TLS protocol allows client/server applications to communicate over the network in a way that prevents eavesdropping, interference, and falsification of information.
TLS uses encryption and digital signature technology to provide endpoint authentication and communication confidentiality over the Internet. The encryption strength can reach 1024 or 2048 bits.
In typical end-user/browser use, TLS authentication is unilateral: only the server is authenticated (the client knows the identity of the server), not the other way round (the client remains unauthenticated or anonymous). Strictly speaking, server authentication does not mean quite the same thing for the browser (a tool) as for the end user (a person). For a browser, it simply means that the browser has validated the server's certificate, that is, checked that the authority that issued the server certificate is trusted and that there is a complete chain of trust. Once this is verified, the browser displays a security icon (such as a "small lock" on the status bar). However, this verification alone does not mean that the server is "OK" for the end user.
For end users, it is a good idea to check the root information of the certificate authority and the CA trust chain of the certificate.
Note in particular, to avoid misunderstanding: the "small lock" icon does not mean that the site visited is trustworthy, only that the information exchanged between the browser and the site is encrypted. A malicious Web site cannot use a valid certificate from another site, because URLs and SSL certificates correspond one to one. Because only trusted CAs can embed URLs in certificates, checking that the URL you intended to visit is the URL specified in the certificate is a good way to confirm that you are on the real site.
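The name check described above, as an added example that is not part of the original page: once the chain of trust is verified, the client compares the host it asked for with the DNS names in the certificate. The certificate data and host names are constructed, and the matcher is a simplified illustration that looks only at subjectAltName DNS entries and left-most wildcards.

```python
# Added example: simplified certificate name check, run by a TLS client
# after the chain of trust has been verified.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with the host the user asked for."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h or "*" in hostname:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and must be
        # followed by at least two literal labels ("*.example" is refused).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """cert uses the dict layout of ssl.SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    return any(dns_name_matches(name, hostname) for name in names)


# Constructed certificate data for illustration (not from a real site).
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"),
                       ("DNS", "*.pay.bank.example")),
}


def demo() -> dict:
    hosts = [
        "www.bank.example",               # exact name in the certificate
        "WWW.Bank.Example.",              # case and trailing dot are ignored
        "api.pay.bank.example",           # covered by the wildcard
        "a.b.pay.bank.example",           # wildcard spans one label only
        "pay.bank.example",               # wildcard does not cover its parent
        "www.bank.example.evil.example",  # different domain, similar prefix
    ]
    return {host: cert_matches_host(BANK_CERT, host) for host in hosts}


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host:32} {'accept' if ok else 'REJECT'}")
```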
TLS also supports a more secure two-way authentication mode (typically used in enterprise applications), in which not only does the client (usually a browser) verify the secure Web site, but the server also verifies the identity of the client (which requires installing a client or personal certificate). Clients that take part in two-way authentication therefore also hold certificates.
The establishment of the TLS/SSL protocol involves three basic stages:
1. Peer negotiation for algorithm support
2. Key exchange and authentication
3. Symmetric cipher encryption and message authentication
OpenSSL is a powerful Secure Sockets Layer cryptographic library that includes the main cryptographic algorithms, commonly used key and certificate management functions, and the SSL protocol, and provides a rich set of applications for testing or other purposes. When a critical security vulnerability in OpenSSL was disclosed, it turned out that most websites encrypted via the SSL protocol use the open source package called OpenSSL. Because this is the most widely used secure transmission method on the Internet, relied on by online banking, online payment, e-commerce sites, portals, e-mail and other important websites, the flaw has a broad impact. The OpenSSL vulnerability does not only affect sites whose addresses begin with HTTPS; hackers can also exploit it to launch a "Heartbleed" attack directly on personal PCs. According to analysis, a large amount of software on Windows uses a vulnerable OpenSSL code base and could be attacked to read memory data on a user's computer.
For more information, see
http://en.wikipedia.org/wiki/Transport_Layer_Security